Is it SPIT Yet?

I’ve been hearing for a while about the anticipated tsunami of malicious attacks waiting in the wings to crash down on VoIP networks and users.

But I personally haven’t seen any yet. In fact, my incoming junk communications are the usual email offers for cheap Viagra from Consuelo Sneed and urgent requests from “Ebay Center of Payments” for “updating your payments informations.” I have yet to see any SPIT or SPIM homing its way to me.

So I decided to ask some of the experts if the predictions are coming true.

“As more and more companies adopt VoIP, we’ll see the same kind of attacks that were against PBX systems 10 years ago,” Turner says. “It’s just more difficult to detect.” Although the study doesn’t distinguish voice networks, it’s telling that telecoms were the third most popular target for denial of service attacks.

One of the new fraud types Turner sees is ‘vishing.’ It works like phishing, only instead of impersonating a legitimate website, the fraudster impersonates – “spoofs” – a legitimate phone number.

Let’s say I’m a hacker and you work in accounting. I call you and tell you I’m in IT and that I need your user ID and password. Because you see the name and number of the IT department, you’re more likely to give me the information I’m looking for.

There are not too many solutions in place for voice, Turner says. Solutions like SIP firewalls haven’t been widely adopted.

“Part of the problem when you put security in front of voice you degrade service,” Turner says. “People make a choice for voice quality.” Best practice for VoIP networks? “Separate voice and data on the network,” says Turner.

The VoIP security conversation focuses on hackers. But what about when the government wants to listen in? The UK’s Register has a story today about Swiss security technology company ERA IT’s Superintendent Trojan, which snoops on VoIP calls like a…virus. In addition to listening in, Superintendent Trojan can also surreptitiously operate Webcams and microphones. The company says that it will only sell the technology to government agencies. But as we’ve learned in the U.S. with the Bush administration, that’s no protection at all.